The first Microsoft bulletin of the year, MS11-01, only affects Windows Vista and is classified by Microsoft as "important". For those not running Vista, this patch can safely be ignored. It’s easier for smaller organizations to keep up with operating system upgrades and patches on desktop systems. However, if your organization has over 10,000 desktops, upgrading all of them is a daunting task. I really like the idea of using "cloud computing" for this purpose. Yes, I’m suggesting that we use “cloud computing” to improve security! However, in this case, I am talking about a cloud that operates and is managed within the organization, not by a third party. If you are planning on putting your applications and data in, for example, Amazon’s cloud, then you are outsourcing your security to Amazon. It may be better to implement your own cloud to control the security and data. Rather than hosting all of your software and data on a laptop or desktop, the laptop or desktop just gives you access to the applications and data. This is not a new concept, but as more and more laptops will be lost or stolen and client-applications will have vulnerabilities, I believe it’s a logical solution to the problem.
While many talk about the dangers of the cloud, can we actually use the cloud to improve security?
The shocking part of this month's “Patch Tuesday” release is that Microsoft is not offering patches in two security advisories, including Windows Graphics Rendering Engine (Security Advisory 2490606) or the vulnerability affecting Internet Explorer (Security Advisory 2488013)." Microsoft reports that the Internet Explorer vulnerability is being exploited in the wild, so I'm at a loss to explain why a patch has not been released.
To further aid in your efforts to evaluate the dangers of the vulnerabilities addressed by Microsoft Patch Tuesday, Tenable's Research team has published plugins for each of the security bulletins issued this month:
- MS11-001 - Nessus Plugin ID 51454 (Credentialed Check)
- MS11-001 - Nessus Plugin ID 51455 (Credentialed Check)
- Microsoft Security Bulletin Summary for January 20101
- OSVDB Microsoft Bulletins - Complete Reference
- January 2011 Security Bulletin Release (Microsoft Security Response Center Blog)